Ethernet Switching
Visitor
kcray
Posts: 8
Registered: 12-22-2011

Firewall filtering want to make sure i understand this

I am teaching myself firewall filtering on a couple of EX switches and wanted to verify my understanding of how the filter would process the two terms below that are part of one filter.

 

term term-one {
    from {
        /* note: the MAC as posted has seven octets; a MAC address has six */
        source-mac-address {
            00:00:01:e1:de:00:be/48;
        }
        source-address {
            192.168.1.18/32;
        }
    }
    then {
        discard;
        syslog;
    }
}
term term-two {
    then {
        accept;
    }
}

 

If source-address and source-mac-address match in term-one, then it will discard the packet and generate a syslog message. And if it does not match in term-one, then the rest of the traffic should match in term-two and be accepted.

 

Trusted Contributor
martinbrown2k
Posts: 162
Registered: 04-23-2011

Re: Firewall filtering want to make sure i understand this

Yes, it would do as you said, however, why would you want to?  In the real world, the MAC address should be unique, so there would be no need to have both options present.

 

If you didn't apply the second term, then you would have an implicit deny as well, so putting the second term covers all other traffic, so well done.

 

I'm not sure if you have seen the fasttrack learning resources, however, in the JNCIS-ENT Switching Study Guide, chapter 5 details firewall filters on EX switches and where you can apply them. You can access them here: https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx. They are located under the JNCIS section.

Martin Brown
Juniper Ambassador
Network Security Engineer
JNCIA-Junos, JNCIS-ENT
CCNA Wireless, CCNP, CCNP Security, CCDA
HE IPv6 Sage, IPv6 Forum Gold Engineer
MCSE
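The evaluation described in the question and confirmed in the reply above (terms tried in order, all `from` conditions of a term ANDed, first match wins, implicit discard when nothing matches), as an added Python model that is not part of the thread and not Junos code. The filter is transcribed from the post, except that the MAC is a constructed six-octet value.

```python
import ipaddress

# The thread's filter as data. Constructed six-octet MAC; the IP prefix is
# the one from the post. Single value per match condition is assumed.
FILTER = [
    {
        "name": "term-one",
        "from": {
            "source-mac-address": "00:00:01:e1:de:be/48",
            "source-address": "192.168.1.18/32",
        },
        "then": ["discard", "syslog"],
    },
    {"name": "term-two", "from": {}, "then": ["accept"]},
]


def mac_matches(pattern, mac):
    """Match a MAC against addr/prefix-length, prefix length in bits."""
    addr, _, plen = pattern.partition("/")
    bits = int(plen) if plen else 48
    to_int = lambda m: int(m.replace(":", ""), 16)
    mask = ((1 << 48) - 1) ^ ((1 << (48 - bits)) - 1)
    return (to_int(addr) & mask) == (to_int(mac) & mask)


def term_matches(term, packet):
    """A term matches only when every `from` condition matches (AND)."""
    for key, value in term["from"].items():
        if key == "source-mac-address":
            if not mac_matches(value, packet["src_mac"]):
                return False
        elif key == "source-address":
            net = ipaddress.ip_network(value)
            if ipaddress.ip_address(packet["src_ip"]) not in net:
                return False
        else:
            raise ValueError(f"unsupported match condition {key}")
    return True  # an empty `from` (term-two) matches everything


def evaluate(filter_terms, packet):
    """First-match evaluation: (term name, actions). A packet matching no
    term reaches the implicit discard at the end of the filter."""
    for term in filter_terms:
        if term_matches(term, packet):
            return term["name"], term["then"]
    return "implicit", ["discard"]
```

Evaluating the filter with only term-one present shows why the reply calls out the implicit deny: any packet that misses term-one is silently discarded.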
Recognized Expert
erdems
Posts: 191
Registered: 12-30-2008

Re: Firewall filtering want to make sure i understand this

 

Hey there,

 

Reading this filter, I would assume there is a constraint between the MAC (physical device) and IP address, potentially some redundancy/backup_mode enforcing; hence including both in a from statement.

 

Cheers,

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.